CHECK AGAINST DELIVERY
Review of the Personal Information Protection Act
Jill Clayton, Information and Privacy Commissioner
Presentation to the Standing Committee on Alberta’s Economic Future
September 7, 2016 │ Edmonton, Alberta
Global Considerations for PIPA Review
Thank you for the opportunity to speak with you today. I’m joined today by my colleagues Kim
Kreutzer-Work, Director of Knowledge Management, and Amanda Swanek, who is an
Adjudicator with my office. I would like to mention that Kim, Amanda and I were all at the table
and involved in the first review of PIPA in 2007 – we’ve been working with this legislation for
quite a number of years now.
Since I last spoke to this committee in October last year, my office and numerous stakeholders
from across the province have had a chance to share our thoughts on how to improve this
important piece of legislation. The diversity of submissions and opinions was very interesting,
and reinforced for me that, by and large, stakeholders recognize the value of this legislation.
I know you’ve received my submission which sets out some ideas, suggestions and
recommendations to strengthen PIPA and ensure Alberta remains a leader in private-sector
privacy legislation across Canada and internationally. I don’t intend today to speak to the
specific recommendations made in that submission. But I do want to provide some context that
may be helpful to you as you deliberate possible amendments.
To start, I want to say a few words about PIPA’s “substantially similar” designation. I know you
are likely already familiar with this concept, but I think it’s important to remind ourselves of this
important principle and keep it front and centre when reviewing PIPA.
As you know, PIPA is a made-in-Alberta approach to balancing the privacy interests of Albertans
with business’ legitimate need to collect, use and disclose personal information to provide
goods and services. PIPA was purposefully designed to make privacy compliance as simple as
possible for small- and medium-sized organizations.
It’s important to remember, however, that PIPA was not created in a vacuum. There are other
global and national forces and principles that shaped how PIPA was drafted and how it must
function in order to be recognized within Canada and by other nations. And this should be kept
in mind when considering possible amendments to the legislation.
As you may be aware, federal private sector privacy legislation – Canada’s Personal Information
Protection and Electronic Documents Act, or PIPEDA – came into force on January 1, 2001 with
respect to federally-regulated businesses.
PIPEDA gave the provinces and territories the option of enacting their own private-sector
privacy legislation by January 1, 2004. If the provincial law was “substantially similar” to the
federal law, the provincial law would operate in that province. Otherwise the federal legislation
would apply to that province’s private sector. Quebec had already passed a private-sector
privacy law, which was deemed to be substantially similar. Alberta and British Columbia were
the only additional provinces to introduce private-sector privacy legislation by January 1, 2004.
In October of that year, PIPA was deemed substantially similar to the federal PIPEDA. This
effectively exempted provincially-regulated Alberta organizations from PIPEDA and ensured
local oversight by the provincial privacy commissioner.
Canada’s federal privacy legislation, PIPEDA, is deemed to have “adequacy” status as it relates
to European privacy law. This means that European law recognizes PIPEDA and, by extension,
“substantially similar” laws, such as Alberta’s PIPA. Therefore, Canadian businesses have
adequate protections for the transfer of Europeans’ personal information within our borders.
Without adequacy status, the transfer of personal information would be uncertain for
Canadian- and Alberta-based businesses when participating in the global knowledge economy.
Recently, the European Union overhauled its privacy law in the form of the General Data
Protection Regulation, or GDPR, which was approved by the European Parliament in April of this
year. The GDPR takes the place of the earlier Data Protection Directive, which was passed in
1995 and required each member state to implement its own privacy law. The GDPR is expected
to come into force in May 2018 and will apply to all member states and their citizens.
The GDPR has made privacy law across Europe stricter and enhanced the protections for
Europeans’ personal information in many areas, including around consent, accountability and
privacy management frameworks, breach notification, and privacy impact assessments.
So, why does this matter?
With the global reach of Canadian- and Alberta-based businesses, not to mention the ubiquity
of online activities generally, it goes without saying that the GDPR will affect how we do
business here at home – and it must be taken seriously in light of any discussion about
amendments to our laws governing the collection, use and disclosure of personal information.
With the new stricter provisions of the GDPR, the adequacy status of Canadian privacy law is
under scrutiny. Former Interim Privacy Commissioner of Canada Chantal Bernier has asked,
“Will adequacy survive the coming into force of the new GDPR… and how should governments
or business prepare in that regard?”1
No one knows at this time what might come of Canada’s “adequacy” status, nor am I suggesting
that PIPEDA and, by extension, PIPA will be deemed inadequate by the European Union. I am,
however, noting that in contemplating amendments to our own law, we should at the same
time be mindful of these global and national considerations.
I have kept this in mind in making my recommendations to this Committee. We should be
proud of the fact that in Alberta we are already ahead of the curve. For example, the new GDPR
mandates breach notification, which we have had in Alberta for six years now – in fact, we are
the only private sector jurisdiction in Canada that have these provisions and the others –
Canada and British Columbia – are working diligently to catch up.
1 Retrieved Aug. 16, 2016 from http://www.privacyandcybersecuritylaw.com/impact-of-the-european-generaldata-protection-regulation-gdpr-on-adequacy-and-5-tips-to-weather-the-changes
In addition, my office’s work with the Privacy Commissioner of Canada and the Information and
Privacy Commissioner of British Columbia to publish Getting Accountability Right with a Privacy
Management Program in 2012 anticipated and is aligned with the new legal requirements in
the GDPR around privacy management frameworks. This document provides guidance to
businesses for how they can manifest the principle of accountability within their own
organizations. In harmony with legislative reform that is taking place in other jurisdictions, I
have recommended that this Committee consider legislating the requirements of a privacy
management framework in PIPA.
Just a quick anecdote that when our three Canadian jurisdictions released our Getting
Accountability Right guidance, we received international accolades, including from the Chief
Privacy Officer of a multinational corporation who called it the “gold standard” for the world to
follow. And, it appears, the world, or at least the European Union, has indeed followed by
legislating privacy management frameworks in the GDPR.
In a global economy where private sector privacy law needs to be “substantially similar” and
“adequate”, and where private sector businesses are looking for certainty and consistency to
the extent possible in the many jurisdictions in which they operate, I’m suggesting we need to
be mindful when contemplating amendments that might weaken the legislation, or that would
be out of step with global and national considerations. And it’s important to remember that,
although legislative requirements and regulations may sometimes seem to be burdensome,
they also help to provide the public and business and service partners with stability and
reassurance, both of which are necessary to win customers and facilitate business and
information sharing.
I will end my comments here so as to be able to respond to any questions you may have. But I
would like to thank you for the opportunity to be here today, and I look forward to being of
assistance to the Committee as you continue this important work.